This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Extreme Control as External RADIUS in Cloud IQ

Extreme Control as External RADIUS in Cloud IQ

Go to solution
RobertD1
Contributor III

‎02-22-2022 04:21 AM

Hello,

I understand that it is possible to create a network policy in Cloud IQ for Wireless which can use External RADIUS server for authentication (Extreme A3, NPS, Extreme Control). Do the APs (AP3705C) which are onboarded in the cloud also need to be added under Access-Control>Switches? If so what RADIUS Attributes should they use?

Thanks,
Rob
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
RobertD1
Contributor III

‎03-01-2022 02:05 PM

I have got this to work! After solving the first problem with the developer profile (redirect URI was missing) then the first task passed and data was collected. I then realized the subsequent tasks also had scripts which when reviewed revealed what I needed to do in addition. I had to create a profile for the new device to use (or alter the script) and I added another IF statement for the model of AP I was using (AP305C) and in the last script alter the primary RADIUS server IP. That's it! I've learnt a lot from this and will be very useful for bulk importing and integrating XIQ WAPs with XIQ-SE with Extreme Control.

View solution in original post

0 Kudos
11 REPLIES 11

Go to solution
RobertD1
Contributor III

‎02-24-2022 12:51 PM

I think I need to update the script first...

###################################################################
# Update the Bearer Token, client secret, client-id,
# redirect-uri, and ownerid in the curl_cmd variable to
# match your developer credentials, bearer token from
# XIQ, and VIQ ID.
# Developer credentials: https://developer.aerohive.com/
# Bearer Token: XIQ Interface/Global Settings/ API Token Management
# VIQ ID: From the XIQ interface "About" menu option
###################################################################

curl_cmd = 'curl -s -k --header "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-ID: xxxxxxxx"'
curl_cmd = curl_cmd + ' --header "X-AH-API-CLIENT-REDIRECT-URI: https://x.x.x.x"'
curl_cmd = curl_cmd + ' https://va2.extremecloudiq.com/xapi/v1/monitor/devices{?ownerId=xxxxxx}'

I've found the ownerId and REDIRECT-URI address (my XIQ-SE) but struggling to find the CLIENT-ID and complete the first three lines?
0 Kudos

Go to solution
RobertD1
Contributor III

‎02-24-2022 11:18 AM

I have used the document and managed to get an XIQ WAP to interact with the Access-Control engine. I created three SSIDs and all three worked (for PPSK, Open and Secure).

One thing that failed in my setup was the Workflow to Import the XIQ APs. When I ran it it said it succeeded very quickly as if it did not run through all of the tasks. No APs were added to XIQ-SE and no APs were added to Access-Control.

The output for the workflow showed an error:

Script Name: Process New XIQ Devices_Extract_All_Devices_from_XIQ
Date and Time: 2022-02-24T16:19:51.443
XIQ-SE User: netsight
XIQ-SE User Domain:
IP:
code: GatewayErrorCode.CLIENT_VERIFICATION_FAILED
message: Client Credential verification failed.
rawMessage: XCKCKzThhF
status: 401

I imported the workflow and appeared to succeed but nothing happened. Any ideas?

Thanks
Rob
0 Kudos

Go to solution
Ryan_Yacobucci
Extreme Employee

‎02-23-2022 08:11 AM

Hello Robert,

That is a great document that was developed by our TME team. I use it myself all the time. 

To answer your questions for future use: 

The AP's needed to be added into the Control --> Switches tab. 

Extreme Control/A3 both can have local users or integration with AD. 

Thanks
-Ryan



c34b3bc41b8040d7a848ffe2ab4fa3af.png
Adding APs into the Control switches tab will add them to a clients.conf file that will make them authorized for RADIUS communication. Without them in the clients.conf file NAC will not respond to RADIUS requests from their IP address. 

We use filter-ID for role assignment with XIQ. 

0 Kudos

Go to solution
AnonymousM
Valued Contributor II

‎02-23-2022 08:11 AM

This post was removed
0 Kudos

Go to solution
RobertD1
Contributor III

‎02-22-2022 01:01 PM

Update... I have found this document to answer quite a few of the questions I had so I will try this out. 

https://documentation.extremenetworks.com/ExtremeCloudIQ/HowTo/ExtremeControl_for_XIQ-SE_and_XIQ_APs_How-to_Guide.pdf

These are the sort of guides we all find useful and give great guidance with examples which are easy to follow and apply. It would be difficult to know what to do otherwise.
0 Kudos
li.common.scroll-to.top
GTM-P2G8KFN